You cannot access the folders in the SMS Administrator console from a computer that is running Windows XP Professional Service Pack 2 (878456)



The information in this article applies to:

  • Microsoft Windows XP Professional Service Pack 2 (SP2)

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you use the Microsoft Systems Management Server (SMS) Administrator console on a computer that is running Microsoft Windows XP Professional with Service Pack 2 (SP2), you cannot open the folders in the console tree.

This problem occurs even though you have followed the steps to add the Unsecapp.exe program and TCP port 135 to the list of programs and services on the Exceptions tab of Windows Firewall. (These steps are described on the SMS "Site Systems Frequently Asked Questions" Web page on the Microsoft TechNet Web site. For more information, see the "References" section.)

Additionally, every time that you click various folders, such as the Collections, Packages, or Sites folders, you may receive the following error in the SMS\Logs\Adminui.log file:

    Error: Possible UI connection error code is -2147217406

CAUSE

This behavior occurs if the following Group Policy setting is enabled:

Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC Clients



Note By default, this Group Policy setting is disabled.

This behavior may also occur if Kerberos authentication is not used to authenticate to the target domain. If Kerberos authentication is not used, Windows Management Instrumentation (WMI) queries are delivered as anonymous. The DCOM protocol in Microsoft Windows XP SP2 does not permit anonymous sessions and blocks the calls to the SMS server.

Note DCOM is a Windows protocol that can be used on top of the remote procedure call (RPC) protocol by client and server programs.

RESOLUTION

To resolve this behavior, disable the Group Policy setting for RPC authentication that blocks the DCOM protocol, and then make sure that Kerberos authentication is working correctly.

Disable the Group Policy setting

You can change the RPC authentication setting by using the Group Policy Object Editor or by modifying the Windows Registry.

Method 1: Change the RPC authentication setting by using the Group Policy Object Editor

  1. Open Active Directory Users and Computers.
  2. In the left pane, right-click Your_Domain_Name object, and then click Properties.
  3. Click the Group Policy tab, click the Group Policy that you want to modify, and then click Edit.
  4. Under the Computer Configuration node, expand the Administrative templates\System folder.
  5. Click the Remote Procedure Call folder.
  6. In the right pane, right-click Restrictions for Unauthenticated RPC Clients, and then click Properties.
  7. Click Disabled, and then click OK.
  8. Close the Group Policy Object Editor.
  9. Click OK, and then close Active Directory Users and Computers.

Method 2: Change the RPC authentication setting by modifying the Windows registry

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

  3. Click the RPC key.
  4. In the right pane, right-click RestrictRemoteClients, and then click Modify.
  5. In the Value data box, type 0, and then click OK.
  6. Quit Registry Editor.
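
Method 2 as a script, added here as an example and not part of the original Microsoft article: it reports the current RestrictRemoteClients value and, with -Apply, exports the RPC policy key to a .reg file before setting the value to 0. It assumes Windows PowerShell is installed and the session runs as an administrator; the -Apply switch, the backup file name, and the function name are choices made for this example.

```powershell
# Added example (not from the article): audit, back up, then change the
# RestrictRemoteClients policy value described in Method 2.
param(
    [switch]$Apply,   # without -Apply the script only reports
    # Assumed backup location; timestamped so an earlier export is never overwritten.
    [string]$BackupFile = "$env:TEMP\rpc-policy-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
)

$regKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC'   # form used by reg.exe
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'  # form used by PowerShell
$valueName = 'RestrictRemoteClients'

function Get-RpcRestriction {
    # Returns the DWORD value, or $null when the key or the value is absent.
    if (-not (Test-Path $keyPath)) { return $null }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

$current = Get-RpcRestriction
if ($null -eq $current) {
    # Method 2 assumes the RPC key and value already exist; if they do not,
    # the policy is not set in this registry and there is nothing to modify.
    Write-Output "$valueName is not present under $regKey. Check Kerberos authentication instead."
    return
}
Write-Output "$valueName is currently $current."

if (-not $Apply) { return }
if ($current -eq 0) {
    Write-Output 'Value is already 0; no change made.'
    return
}

# Back up the key first, as the article's registry warning requires.
& reg.exe export $regKey $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; value left unchanged." }
Write-Output "Backup written to $BackupFile (restore with: reg import `"$BackupFile`")."

# Steps 4 and 5 of Method 2: set the DWORD to 0.
New-ItemProperty -Path $keyPath -Name $valueName -Value 0 -PropertyType DWord -Force | Out-Null
Write-Output "$valueName is now $(Get-RpcRestriction)."
```

If the value is delivered by a domain Group Policy object, the next policy refresh writes it back, so Method 1 is the lasting change in that case.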

Verify Kerberos authentication

Verify that Kerberos authentication is working correctly on your network.

For additional information about Kerberos authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:

280830 Kerberos authentication may not work if user is a member of many groups

262177 How to enable Kerberos event logging

244474 How to force Kerberos to use TCP instead of UDP

REFERENCES

For additional information about enabling anonymous access in DCOM, click the following link to view the "Site Systems Frequently Asked Questions" topic on the Microsoft TechNet Web site:

After the Web page opens, click the following question:

When I open the SMS Administrator console on my computer with Windows XP SP2, most of the items in the console tree don't open. What should I do?

Modification Type: Major
Last Reviewed: 8/25/2004
Keywords: kbtshoot kbprb KB878456 kbAudITPRO